CRITICAL · CVE-2025-64538 · CVSS 9.3

CVE-2025-64538: XSS in Adobe Experience Manager

Platform

adobe

Component

adobe-experience-manager

Fixed in

6.5.24

AI Confidence: high · Source: NVD · EPSS 0.7% · Reviewed: May 2026

CVE-2025-64538 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager versions 6.5.23 and earlier. This vulnerability allows an attacker to inject malicious scripts into a web page, which are then executed within the context of a victim's browser. While exploitation requires user interaction (visiting a crafted page), the potential impact is severe, including session takeover and data breaches. Adobe has released updates to address this issue.

Impact and Attack Scenarios

The primary impact of CVE-2025-64538 is arbitrary script execution within the victim's browser. An attacker can use this to steal session cookies, redirect users to malicious websites, or deface the website. Because the vulnerability is DOM-based, the attacker does not need to control the entire page, only the specific element whose content is written by client-side script. This makes it easier to exploit than traditional XSS vulnerabilities. The ability to achieve session takeover significantly increases the confidentiality and integrity impact, as an attacker can impersonate legitimate users and access sensitive data. The blast radius extends to any user who interacts with a page containing the injected script.

Exploitation Context

CVE-2025-64538 was publicly disclosed on December 10, 2025. While no public proof-of-concept (PoC) code has been released at the time of writing, the vulnerability's nature and severity suggest a high probability of exploitation. It is not currently listed on the CISA KEV catalog. The potential for session takeover makes this a high-priority vulnerability to address.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.73% (72nd percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (9.3, CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: None (risk of service disruption)

nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: adobe-experience-manager
Vendor: Adobe
Affected range: 0 – 6.5.23
Fixed in: 6.5.24

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Unpatched — 165 days since disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-64538 is to upgrade to a patched version of Adobe Experience Manager. Adobe has released updates to address this vulnerability; refer to the official Adobe security advisory for specific version details. If immediate patching is not possible, consider implementing strict input validation and output encoding on all user-supplied data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly scan your Experience Manager instance for vulnerabilities using automated security tools.
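The advisory names output encoding and input validation as interim defenses but does not show what the underlying defect class looks like. The following is an added example, not code from Adobe or from this advisory, and it does not reproduce the actual AEM defect: it shows the generic DOM-based XSS pattern (an attacker-influenced source such as the URL fragment flowing unencoded into an HTML sink) beside the two standard fixes, contextual HTML encoding and writing through a text sink. The element object is a stand-in so the code runs under Node without a browser DOM; the URL and fragment are constructed sample values.

```javascript
// Added example (not Adobe's or the advisory's code). The "element" below is a
// stand-in for a DOM node with the two sinks this example needs, so it runs
// offline under Node. Assumption: only innerHTML and textContent matter here.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern: data from an attacker-influenced source (the URL fragment,
// read entirely client-side) is concatenated unencoded into an HTML sink.
// Any markup in the source becomes live markup in the page.
function renderTitleUnsafe(el, fragment) {
  el.innerHTML = "<h1>" + fragment + "</h1>";
  return el.innerHTML;
}

// Defense 1: contextual output encoding for an HTML text context. Characters
// with meaning to the HTML parser become entities, so they are rendered as data.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "`": "&#x60;",
};
function encodeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (c) => HTML_ESCAPES[c]);
}
function renderTitleEncoded(el, fragment) {
  el.innerHTML = "<h1>" + encodeHtml(fragment) + "</h1>";
  return el.innerHTML;
}

// Defense 2: route untrusted data through a text sink. textContent never parses
// markup, so no encoding step is needed and none can be forgotten.
function renderTitleTextSink(el, fragment) {
  el.textContent = fragment;
  return el.textContent;
}

// DOM-based XSS sources are read on the client; the server never sees the
// fragment. The URL is passed in as a string so this is testable offline.
function fragmentOf(url) {
  const hash = new URL(url).hash; // includes the leading "#", still percent-encoded
  return decodeURIComponent(hash.slice(1));
}

// Constructed sample: a harmless fragment that nevertheless carries markup,
// enough to show whether a sink treats it as data or as HTML.
const SAMPLE_URL = "https://example.invalid/page#%3Cb%3Euntrusted%3C%2Fb%3E";

function demo() {
  const fragment = fragmentOf(SAMPLE_URL); // "<b>untrusted</b>"
  return {
    unsafe: renderTitleUnsafe(makeElement(), fragment),     // markup survives
    encoded: renderTitleEncoded(makeElement(), fragment),   // markup neutralised
    textSink: renderTitleTextSink(makeElement(), fragment), // stored as plain text
  };
}

console.log(demo());
```

The encoded and text-sink variants are the two shapes a code fix for this class of defect normally takes; a WAF rule, by contrast, only inspects traffic the server sees, and a fragment-based DOM XSS payload never leaves the browser, which is why the advisory's interim controls are defense in depth rather than a substitute for the update.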

How to fix

Update Adobe Experience Manager to a version later than 6.5.23. This will resolve the DOM-based XSS vulnerability. Refer to the Adobe security advisory for more details and specific upgrade instructions.


Frequently asked questions

What is CVE-2025-64538 — XSS in Adobe Experience Manager?

CVE-2025-64538 is a critical DOM-based Cross-Site Scripting (XSS) vulnerability in Adobe Experience Manager versions 6.5.23 and earlier, allowing attackers to inject malicious scripts and potentially take over user sessions.

Am I affected by CVE-2025-64538 in Adobe Experience Manager?

If you are using Adobe Experience Manager versions 6.5.23 or earlier, you are potentially affected by this vulnerability. Check your version and upgrade as soon as possible.
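A common mistake when checking this is to compare version strings lexically, which ranks "6.5.9" above "6.5.24". The following added example (not from the advisory or Adobe) compares an installed AEM version against the advisory's fixed version 6.5.24 component by component; the version strings passed to it are constructed sample values.

```javascript
// Added example, not Adobe's tooling. Decides whether an installed AEM version
// is inside the advisory's affected range (everything below 6.5.24).
const FIXED_IN = "6.5.24"; // from the advisory

// Split a dotted version into numeric components; reject anything that is not
// purely numeric so a malformed string cannot silently compare as "not affected".
function parseVersion(v) {
  const parts = String(v).trim().split(".");
  if (parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error("unrecognised version string: " + v);
  }
  return parts.map(Number);
}

// Numeric, component-wise comparison; missing trailing components count as 0,
// so "6.5.24" and "6.5.24.0" compare equal.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Affected when strictly older than the fixed version.
function isAffectedByCve202564538(installed) {
  return compareVersions(installed, FIXED_IN) < 0;
}

// Constructed sample inventory: version strings only, no real hosts.
const SAMPLE_VERSIONS = ["6.5.9", "6.5.23", "6.5.23.0", "6.5.24", "6.5.24.0"];
for (const v of SAMPLE_VERSIONS) {
  console.log(v, isAffectedByCve202564538(v) ? "AFFECTED, update required" : "not affected");
}
```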

How do I fix CVE-2025-64538 in Adobe Experience Manager?

Upgrade to a patched version of Adobe Experience Manager. Refer to the official Adobe security advisory for specific version details and patching instructions.

Is CVE-2025-64538 being actively exploited?

While no public exploits are currently known, the vulnerability's severity suggests a high probability of exploitation. Proactive patching is highly recommended.

Where can I find the official Adobe advisory for CVE-2025-64538?

Refer to the official Adobe Security Bulletin for details: [https://www.adobe.com/security/advisories/AdobeSecurityBulletin.htm](https://www.adobe.com/security/advisories/AdobeSecurityBulletin.htm)
